XOR Inc. Privacy Policy
Effective from: 11 May 2026
XOR Inc. (“Company”, “XOR”, “us”, “we”, or “our”) is committed to protecting the privacy of the people whose personal data we process. This Privacy Policy explains how we collect, use, disclose, store and protect personal data in connection with our services, our website at https://xor.ai (“Website”), and our talent deployment platform (“Platform”), collectively referred to as the “Services”.
This Privacy Policy is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other applicable data protection laws.
If you do not accept this Privacy Policy, please do not use our Services. You can request deletion of your personal data at any time by emailing privacy@xor.ai.
1. Who We Are
Controller of personal data:
XOR, Inc.
Registered office: 1209 Orange Street, Wilmington, New Castle County, DE 19801, United States
Mailing address: 7901 4th St N #31435, St. Petersburg, FL 33702, United States
EIN: 81-4126129
Email: privacy@xor.ai
Privacy Contact. For all privacy-related inquiries, requests, and complaints, please contact:
Email: privacy@xor.ai (You may also use input@xor.ai, which routes to the same team.)
EU Representative (Article 27 GDPR):
XOR, Inc. has appointed Data Protection Representative Limited (trading as DataRep) as its Article 27 representative in the EU/EEA, with effect from 7 May 2026 (DataRep client reference: XORI01). Data subjects in the EU/EEA may contact DataRep using any of the following methods:
Online request form: datarep.com/data-request
Email: datarequest@datarep.com (please quote “XOR Inc.” in the subject line)
Postal mail (default address — Ireland): DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
DataRep also maintains contact locations in each of the 27 EU member states, plus Norway and Iceland in the EEA. Data subjects who prefer to mail a local address can find the address for their country via the online request form. When mailing, address your letter to “DataRep” — not to “XOR Inc.” — otherwise it may not reach us.
UK Representative (Article 27 UK GDPR):
XOR, Inc. has appointed Data Protection Representative Limited (trading as DataRep) as its Article 27 representative in the United Kingdom, with effect from 7 May 2026 (DataRep client reference: XORI01). Data subjects in the UK may contact DataRep using any of the following methods:
Online request form: datarep.com/data-request
Email: datarequest@datarep.com (please quote “XOR Inc.” in the subject line)
Postal mail: DataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom
When mailing, address your letter to “DataRep” — not to “XOR Inc.” — otherwise it may not reach us.
Swiss Representative (Article 14 FADP):
XOR, Inc. has appointed Data Protection Representative Limited (trading as DataRep) as its Article 14 representative in Switzerland, with effect from 7 May 2026 (DataRep client reference: XORI01). Data subjects in Switzerland may contact DataRep using any of the following methods:
Online request form: datarep.com/data-request
Email: datarequest@datarep.com (please quote “XOR Inc.” in the subject line)
Postal mail: DataRep, Leutschenbachstrasse 95, Zurich, 8050, Switzerland
When mailing, address your letter to “DataRep” — not to “XOR Inc.” — otherwise it may not reach us.
EU Legal Representative under the Digital Services Act (Article 13 DSA):
XOR, Inc. has also appointed Data Protection Representative Limited (trading as DataRep) as its Legal Representative under Article 13 of the Digital Services Act for the EU/EEA, with effect from 7 May 2026. For matters relating to the DSA — including reports of illegal content and inquiries from EU/EEA recipients of our SaaS service — DataRep can be contacted at:
Online request form: datarep.com/data-request
Email: digitalrequest@datarep.com (please quote “XOR Inc.” in the subject line)
Postal mail: DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
Phone: +353 (1) 919 8899
General queries about XOR’s services should not be directed to DataRep. For all non-data-protection and non-DSA matters, please contact us directly at privacy@xor.ai.
2. Definitions
“Personal data” means any information relating to an identified or identifiable natural person.
“Processing” means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
“Candidate” means an individual who has been contacted by XOR, or who has created an account on the Platform, for the purpose of being considered for placement with one of our Clients.
“Contractor” means a Candidate who has entered into a contract with XOR to be placed with one of our Clients.
“Client” means a company that uses XOR’s Services to source and engage contractors.
“Client Contact” means an individual employee of a Client who interacts with XOR on behalf of that Client.
“Platform” means the XOR talent deployment platform, including its database, the Aurora AI assistant, and all associated features.
“Aurora” means the AI assistant deployed within the Platform that supports both Candidates and Clients.
3. What XOR Does
XOR is an AI talent deployment platform that sources, vets, and places engineers (primarily machine learning, reinforcement learning, and AI engineers) with frontier AI companies. We identify Candidates through professional networks (including LinkedIn and the ODS.ai community), direct applications on our Website, and referrals. Candidates who agree to proceed create an account on the Platform, where their profile is matched against open roles at our Clients and, if selected, they are engaged as Contractors and placed with a Client.
The Platform uses an AI assistant, Aurora, to support Candidates through the application and onboarding process and to support Clients in reviewing matches.
4. Categories of Data Subjects and Data We Collect
We process personal data about the following categories of individuals:
4.1 Candidates and Contractors
When we first identify a potential Candidate through public professional networks, we may view publicly available profile information (name, current role, employment history, skills) before any contact is made. No personal data is stored in our systems at this stage.
Once a Candidate agrees to proceed and creates an account on the Platform, we collect and process:
- Identity and contact data: full name, email address, phone number, country of residence, city.
- Professional data: CV, employment history, education, technical skills, code samples, published work, GitHub profile, LinkedIn profile.
- Engagement data: availability, desired rates, preferred working arrangements, time zone.
- Interview and assessment data: responses to screening questions, interview notes, assessment results, communication with our recruiters and with Aurora.
- Identity document data (Contractors only): a copy of a government-issued identity document, used to confirm identity for contracting and tax purposes. We do not currently process biometric data; if we introduce automated biometric verification in the future, we will update this Policy and obtain explicit consent before doing so.
- Contracting and payment data (for Contractors only): tax identification information, bank account details for payment, home address, signed contracts and amendments, invoices, timesheet data.
- Placement data: the Client you are placed with, role, start and end dates, performance-related communications from the Client.
- Technical and usage data: IP address, device and browser information, session logs, timestamps, pages viewed on the Platform.
4.2 Client Contacts
For individuals who interact with XOR on behalf of a Client, we collect:
- Name, business email address, business phone number, job title, employer.
- Communications with XOR (email, messages, calls).
- Information about Candidates and Contractors shared with them through the Platform.
- Contract and billing information (names of signatories, invoicing details).
4.3 Website Visitors
When you visit our Website, we automatically collect:
- IP address, browser type, operating system, device type, referrer URL.
- Pages visited, time on page, click events.
- Cookie and similar tracking data (see Section 13).
- Any information you voluntarily submit through contact forms, demo requests, or support tickets.
4.4 Applicants via Direct Application
If you apply directly through the Website (for example, by submitting a form expressing interest), we collect the information you provide in your submission and treat your application the same way we treat a Candidate profile.
5. How We Collect Personal Data
- Directly from you, when you create an account, submit an application, respond to our outreach, sign a contract, or communicate with us.
- From public professional networks, such as LinkedIn and the ODS.ai community, limited to publicly available profile information, before initiating contact.
- From Clients, when they share feedback or communications about your engagement.
- Automatically, through cookies, logs, and analytics when you use the Website or Platform (see Section 13 for the third-party tools active on our Website).
6. Legal Bases for Processing (GDPR and UK GDPR)
We process personal data under one or more of the following legal bases:
6.1 Consent (Article 6(1)(a))
We rely on consent for:
- Sending marketing communications to Candidates and Client Contacts.
- Non-essential cookies and analytics on our Website (see Section 13).
You may withdraw consent at any time by contacting privacy@xor.ai or, for marketing, by using the unsubscribe link in our emails. Withdrawal does not affect the lawfulness of processing before withdrawal.
6.2 Performance of a Contract (Article 6(1)(b))
We rely on contract performance for:
- Managing your Candidate or Contractor account on the Platform.
- Processing payments, invoices, and tax-related information for Contractors.
- Facilitating your placement with a Client.
- Servicing our contractual relationships with Clients.
6.3 Legitimate Interests (Article 6(1)(f))
We rely on legitimate interests for:
- Initial outreach to potential Candidates via professional networks. Before contacting you, we review publicly available professional profile information. Our legitimate interest is to identify and contact qualified engineers for roles with our Clients. We have weighed this interest against your rights and concluded that this processing is reasonable in a professional recruiting context, where individuals who publish their professional profiles on networks such as LinkedIn have a reasonable expectation of being contacted about relevant opportunities. You have the right to object to this processing at any time (see Section 11).
- Analytics and improvement of our Services.
- Security monitoring and fraud prevention.
- Defending and enforcing our legal rights.
- Business-to-business communications with Client Contacts about XOR's services.
A Legitimate Interests Assessment is maintained internally and available to supervisory authorities on request.
6.4 Legal Obligation (Article 6(1)(c))
We rely on legal obligation to:
- Retain tax and accounting records.
- Respond to lawful requests from public authorities.
- Comply with anti-fraud, anti-money-laundering, and sanctions screening requirements.
7. How We Use Personal Data (Purposes of Processing)
- To operate the Platform and provide the Services.
- To match Candidates with Client roles (see Section 8 on automated decision-making).
- To verify the identity of Contractors using documentary evidence for contracting and tax purposes.
- To communicate with you about your account, applications, placements, and contractual matters.
- To process payments to Contractors and invoices to Clients.
- To improve our Services, develop new features, and train our internal tools.
- To ensure the security of the Platform and investigate suspicious activity.
- To comply with legal, tax, and regulatory obligations.
- To send marketing communications, with consent where required.
- To defend legal claims and enforce our agreements.
8. Automated Decision-Making and Profiling
The Platform uses automated matching, including the Aurora AI assistant, to identify Candidates who may be suitable for Client roles. Matching considers factors such as technical skills, experience, availability, location, and preferred rates, weighted against a Client’s role requirements.
No hiring decision is made solely by an automated system. Every shortlist produced by the Platform is reviewed by a human recruiter at XOR before a Candidate is presented to a Client. The final hiring decision is made by the Client based on human review.
You have the right under Article 22 GDPR not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. If you believe an automated step has affected you, you may:
- Request human review of the decision.
- Express your point of view.
- Contest the decision by contacting privacy@xor.ai.
9. Sub-Processors and Third-Party Recipients
We use the following third-party providers to operate the Services. Each is bound by a data processing agreement that incorporates, where personal data leaves the EU, UK, or Switzerland, the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum (or UK IDTA), and Swiss-equivalent safeguards as applicable.
Platform sub-processors (app.xor.ai)
| Provider | Role | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase | Database and file storage (production) | Ireland (EU, eu-west-1) | No transfer required for EU data |
| Supabase (staging) | Non-production environment | United States (us-east-2) | Synthetic data only; no real personal data |
| Clerk | Authentication | United States | Standard Contractual Clauses |
| Vercel | Hosting and CDN | United States (parent), EU edge regions | Standard Contractual Clauses |
| Anthropic (Claude API) | Aurora AI assistant | United States | Standard Contractual Clauses |
| Resend | Transactional email | United States | Standard Contractual Clauses |
| Clockify | Time tracking | European Union (Croatia) | No transfer required for EU data |
| Slack | Internal team communication | United States | Standard Contractual Clauses |
Website sub-processors and tracking technologies (xor.ai)
| Provider | Role | Location | Transfer Mechanism |
|---|---|---|---|
| HubSpot | CRM, marketing, and Website analytics | United States | Standard Contractual Clauses |
| LinkedIn | Insight Tag (conversion measurement and audience analytics) | United States / Ireland | Standard Contractual Clauses |
| Microsoft | Bing Universal Event Tracking (conversion measurement) | United States | Standard Contractual Clauses |
| Google | Ads conversion tracking and Analytics | United States | Standard Contractual Clauses |
We also disclose personal data to:
- Clients, as part of the core placement service. When you are matched with a Client, we share your profile, CV, and relevant professional information with them so they can assess you for a role. Clients act as independent data controllers for their subsequent use of your data.
- Tax authorities, auditors, and professional advisors, as required by law or to defend our legal rights.
- Law enforcement and public authorities, where required by a lawful request.
- Successors in interest, if XOR is involved in a merger, acquisition, or asset sale.
We do not sell personal data and we do not share personal data for cross-context behavioral advertising. The third-party tags listed under “Website sub-processors” support our own marketing measurement; they are not used to sell or share your personal data with third parties for their own advertising purposes.
An up-to-date list of sub-processors is available on request.
10. International Transfers
XOR is established in the United States. Production data for EU Candidates and Client Contacts is stored on servers in the European Union (Supabase eu-west-1, Ireland). However, some of our sub-processors are located in the United States or other countries outside the European Economic Area.
For transfers of EU personal data to the United States and other third countries, we rely on the European Commission’s Standard Contractual Clauses (Module 2 for controller-to-processor transfers, Module 3 for processor-to-processor where applicable) as approved under Commission Implementing Decision (EU) 2021/914. We also conduct transfer impact assessments in line with the Court of Justice of the European Union’s Schrems II judgment (C-311/18) and apply supplementary technical and organizational measures where appropriate, including encryption in transit and at rest, access controls, and contractual restrictions on government access.
For transfers of UK personal data, we use the UK’s International Data Transfer Addendum to the EU SCCs or the UK International Data Transfer Agreement. For transfers of Swiss personal data, we apply Swiss-equivalent safeguards.
Copies of the relevant Standard Contractual Clauses are available on request by emailing privacy@xor.ai.
11. Your Rights
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR, UK GDPR, and FADP. We also extend these rights, where practical, to data subjects in other jurisdictions.
- Right of access. You can ask us whether we process your personal data and request a copy.
- Right to rectification. You can ask us to correct inaccurate or incomplete personal data.
- Right to erasure (right to be forgotten). You can ask us to delete your personal data where one of the grounds in Article 17 GDPR applies.
- Right to restriction of processing. You can ask us to limit how we use your personal data in certain circumstances.
- Right to data portability. Where processing is based on consent or contract and is carried out by automated means, you can request a copy of your personal data in a structured, commonly used, machine-readable format.
- Right to object. You can object to processing based on our legitimate interests, including our initial LinkedIn outreach and direct marketing. If you object to direct marketing, we will stop immediately.
- Right to withdraw consent. Where we rely on consent, you can withdraw it at any time.
- Right not to be subject to automated decisions. See Section 8.
- Right to lodge a complaint with a supervisory authority. You can complain to the data protection authority in your country of residence or place of the alleged infringement. A list of EU authorities is available at edpb.europa.eu. UK residents can complain to the Information Commissioner’s Office (ico.org.uk). Swiss residents can complain to the Federal Data Protection and Information Commissioner (edoeb.admin.ch).
How to exercise your rights. Email privacy@xor.ai with a description of your request. EU, UK, and Swiss data subjects may also contact our representative for the relevant jurisdiction at the addresses listed in Section 1. For security reasons, we may need to verify your identity before acting. We will respond within one month, which may be extended by up to two additional months for complex requests; we will tell you if an extension applies.
We may refuse or charge a reasonable fee for requests that are manifestly unfounded or excessive, particularly repetitive requests, as permitted by Article 12 GDPR.
12. Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.
- Candidate accounts (active): for the duration of your account plus 24 months of inactivity, after which we will delete or anonymize your profile unless you request earlier deletion.
- Contractor records: for the duration of your engagement plus 7 years, to comply with tax, accounting, and legal obligations.
- Identity document images (Contractors): retained for the duration of the engagement plus 7 years, as required for Know-Your-Contractor and anti-fraud compliance.
- Client Contact data: for the duration of the business relationship plus 3 years.
- Website visitor logs: up to 12 months.
- Marketing contact data: until you unsubscribe or object.
- Support tickets and correspondence: 3 years from the last interaction.
- Contracts and legal records: 10 years from termination of the contract.
When retention periods expire, we delete or irreversibly anonymize personal data.
13. Cookies and Similar Technologies
Our Website uses cookies and similar technologies to operate the site, remember your preferences, measure marketing performance, and (with your consent) understand how the site is used.
We use the following categories of cookies and tags on our Website:
- Strictly necessary cookies, required for the Website to function. These do not require consent.
- Marketing and analytics tags, deployed only with your consent through our cookie consent banner. These include: HubSpot (CRM, contact-form handling, and Website analytics); LinkedIn Insight Tag (measurement of LinkedIn ad campaign performance); Microsoft Bing Universal Event Tracking (UET) (measurement of Bing/Microsoft ad campaign performance); Google Ads conversion tracking and Google Analytics (measurement of Google ad campaign performance and Website usage).
Until you grant consent, only strictly necessary cookies are set. You can change your cookie preferences at any time using the “Cookie preferences” link in the Website footer, or by clearing cookies in your browser. Blocking strictly necessary cookies may affect Website functionality.
We honor Do Not Track (“DNT”) signals where technically feasible.
14. Security
We implement technical and organizational measures appropriate to the risks involved, including:
- Encryption in transit (TLS 1.2 or higher) and at rest.
- Access controls, least-privilege access, and audit logging.
- Identity verification and multi-factor authentication for XOR staff.
- Secure software development practices, including code review and dependency scanning.
- Regular backups and business-continuity planning.
- Vendor due diligence and data processing agreements with all sub-processors.
- Strict separation between staging and production environments. Production credentials are not used in staging, and no real personal data is stored in staging.
No method of transmission or storage is completely secure. We cannot guarantee absolute security, but we act in accordance with industry-standard practices to protect your personal data.
15. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the competent supervisory authority within 72 hours of becoming aware of the breach where required under Article 33 GDPR.
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required under Article 34 GDPR.
- Maintain an internal record of all breaches, regardless of notification thresholds.
16. Marketing Communications
From time to time, we may contact you by email with information about our Services. You can unsubscribe at any time by clicking the link at the bottom of our emails or by emailing privacy@xor.ai.
In compliance with the US CAN-SPAM Act, all marketing emails will identify themselves as such, include our physical business address, and honor unsubscribe requests promptly.
In compliance with the EU ePrivacy Directive and the UK Privacy and Electronic Communications Regulations, we send marketing emails to individuals in the EU and UK only where we have a lawful basis to do so, whether consent or the “soft opt-in” exemption for existing customers.
17. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know what personal information we have collected, used, disclosed, and sold or shared about you.
- Right to delete personal information we have collected from you, subject to exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information. XOR does not sell personal information and does not share personal information for cross-context behavioral advertising.
- Right to limit the use and disclosure of sensitive personal information.
- Right to non-discrimination for exercising your privacy rights.
To exercise these rights, email privacy@xor.ai. We will verify your identity before responding. You may designate an authorized agent to make a request on your behalf; we will require proof of that authorization.
Categories of personal information collected in the last 12 months (as defined under CCPA/CPRA):
- Identifiers (name, email, phone, IP address).
- Customer records (professional and employment information, financial information for Contractors).
- Professional or employment-related information (CV, skills, work history, rates).
- Internet or network activity (browser type, pages visited, clicks).
- Sensitive personal information (government-issued ID, bank details for Contractor payments). We use this data only for the purposes described in this Privacy Policy and do not use it to infer characteristics about you.
18. Children's Privacy (COPPA)
Our Services are not directed to children under 16 years old, and we do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
19. Third-Party Links
Our Website and the Platform may contain links to third-party websites. We are not responsible for the privacy practices of those sites. Please review the privacy policies of third parties before providing them with personal data.
20. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by posting a prominent notice on the Website and, where appropriate, by email. The “Effective from” date at the top of this Policy indicates when it was last updated.
21. Contact Us
For any questions, requests, or complaints regarding this Privacy Policy or our processing of personal data:
XOR, Inc.
Registered office: 1209 Orange Street, Wilmington, New Castle County, DE 19801, United States
Mailing address: 7901 4th St N #31435, St. Petersburg, FL 33702, United States
Email: privacy@xor.ai (or input@xor.ai)
EU / EEA / UK / Swiss Data Protection Representative — Data Protection Representative Limited (trading as DataRep) (DataRep client reference: XORI01 — appointment commenced 7 May 2026)
Online request form: datarep.com/data-request
Email: datarequest@datarep.com — please quote “XOR Inc.” in the subject line
Mailing addresses (mark all correspondence to “DataRep”):
EU / EEA (default): DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland (DataRep maintains additional contact locations in each of the 27 EU member states plus Norway and Iceland — see the online request form for the local address)
United Kingdom: DataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom
Switzerland: DataRep, Leutschenbachstrasse 95, Zurich, 8050, Switzerland
EU Legal Representative under the Digital Services Act — Data Protection Representative Limited (trading as DataRep)
Online request form: datarep.com/data-request
Email: digitalrequest@datarep.com — please quote “XOR Inc.” in the subject line
Mailing address: DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
Phone: +353 (1) 919 8899
This Privacy Policy supersedes all prior versions.